Financial services firms may have focussed so much resource on complying with extensive regulatory compliance obligations that the implications of the new Crime and Policing Act 2026 (CPA 2026) may have escaped their attention.

On 29 June 2026, section 250 of the CPA 2026 will, in effect, abolish the common-law "directing mind and will" test for general corporate prosecutions (see our article here for more details). 

Until now, a head of a business line in a bank, for example, could break the general criminal law and, so long as no one proved the board directed or even knew about the breach, the firm itself would likely escape corporate criminal liability. That is now changing. It is the mirror opposite of the position prior to the introduction of the Senior Managers and Certification Regime ("SMCR"), when regulators found it easier to take action against firms than individuals.  This criminal law change will now make it easier to prosecute financial services firms for criminal wrongdoing of their senior managers. However, the definition of a senior manager under the CPA 2026 is wider than that under SMCR.

If a "senior manager" under the CPA 2026 commits a criminal offence while acting within the scope of their actual or apparent authority, the firm is liable. There is no need to prove the board approved, nor any need to show institutional knowledge. This attribution rule, however, does not apply to offences that only a body corporate can commit, for which liability arises under the specific statute rather than via the CPA 2026.

The offence attaches to the company the moment the qualifying individual acts. A "senior manager" is defined not by job title or regulatory status, but by function: anyone who plays a significant role in decision-making or who manages a substantial part of the business.

For the tens of thousands of firms regulated by the FCA under the SMCR , this matters.

Finding alignment between parallel regimes: SMCR and CPA 2026

The FCA has not – yet – provided any guidance on the application of the CPA 2026.  The application of SMCR to financial services firms does somewhat muddy the waters when trying to identify senior managers for the purposes of the CPA 2026. 

The FCA defines "senior manager" by reference to specific senior management functions (SMFs). SMFs are set out in SUP 10C.4.3R of the FCA Handbook and include CEOs, chief risk officers, executive directors and the like.

The CPA 2026, on the other hand, defines "senior manager" through a functional test embedded in statute. 

The two populations overlap, but crucially they aren't identical. Most SMF holders will fall within the Section 250 definition, but the reverse isn't true: a divisional head running a £200m business line, a senior operations director with authority over product distribution, or a regional managing director with budget sign-off – none of these necessarily holds an SMF role, but all of them could qualify as senior managers under the CPA 2026. Individuals considered to be senior managers under the CPA 2026 could capture certain certified persons under SMCR, for example individuals performing the significant management certification function, some material risk-takers, and potentially even the CASS oversight function.

Being able to identify all in-scope individuals for CPA 2026 purposes is where the risk lies for regulated firms.

From regulatory sanction to criminal charge

Under the SMCR, when governance fails, the consequences are regulatory. The FCA would typically first consider whether a firm has breached a relevant regulatory requirement, and whether the FCA should take action – taking into account, for example, the factors in DEPP 6.2.1G of the FCA Handbook. It would then, or in tandem, consider whether an individual should be held accountable. (Of course, there may alternatively be scenarios where regulatory breaches are only by a regulated individual and not the firm itself, for which only the regulated individual would be held accountable). The FCA can fine, prohibit, impose a suspension/limitation/condition, or publicly censure an individual. The sanctions may be significant, but they operate within a framework that offers protections. An SMF holder can defend themselves by showing they took "reasonable steps" to prevent the breach.

The CPA 2026 offers no equivalent. There is no "reasonable procedures" defence of the kind that exists under the failure to prevent fraud offence. If a qualifying senior manager commits an offence within the scope of their authority, the firm is liable.

Put simply, a firm that has invested heavily in its SMCR framework might reasonably have assumed it was building a defence, but under the CPA 2026, it has built something closer to a prosecution exhibit.

Governance documents now face two audiences

Prosecutors may well reach for the same materials that the FCA already examines: statements of responsibilities, management responsibility maps, governance frameworks, delegation authorities, terms of reference for committees and the like. Although these documents were designed for regulatory purposes under FSMA, they now, in effect, serve a dual function.

The Crown Prosecution Service and the Serious Fraud Office are likely to treat such documentation as the starting point for identifying who qualifies as a senior manager under the CPA 2026. The logic is straightforward: if a firm has already mapped out who holds significant decision-making authority, that map will guide investigators. But because the statutory test under the CPA 2026 is broader than the SMCR definition, prosecutors won't be forced to stop at the SMF boundary. They'll follow the trail of actual authority wherever it leads.

What regulated firms should do now

The practical response requires more than updating a risk register. We'd suggest five concrete steps to start:

• map the 'real' (wider) senior manager population: don't rely on the SMF list. Identify every individual who plays a significant role in decision-making or manages a substantial part of the business. Pay particular attention to leaders who exercise genuine authority without holding a formal SMF designation;
• stress-test delegation structures: where does real authority sit, and does it match the formal governance documentation? Firms with complex matrix structures or heavily devolved business models are most exposed. If a product head in a remote location can approve a pricing strategy without board sign-off, that person may well be a senior manager under the CPA 2026, regardless of what the organisation chart says;
• broaden risk assessments beyond financial crime. The CPA 2026 applies to all criminal offences, not just economic crime. Environmental regulations, health and safety law, data protection: any area where operational decisions could give rise to criminal liability now falls within scope;
• train senior operational staff. Focus on individuals below the SMF threshold who hold budget authority, control business lines or make product and distribution decisions. These people may never have considered themselves at the sharp end of criminal risk; and
• treat all governance documentation as litigation-grade material. Every committee minute, every delegation memo, every responsibility map should be drafted on the assumption that it might be disclosed in a criminal investigation.

Until the CPA 2026, corporate criminal liability in England and Wales turned on a single inquiry: did the board know? The CPA 2026 replaces that question with a different one: was the person who acted a senior manager? The answer will often be yes, and the firm will bear the consequences whether or not anyone above that person was aware.

For PRA and/or FCA-regulated firms, the SMCR has quietly shifted from being a regulatory accountability tool to becoming a central pillar of criminal risk management. The frameworks firms built to satisfy the FCA now define their exposure to the Crown Prosecution Service. That's a change worth taking seriously and worth acting on before 29 June.